Privacy watchdog calls on CEOs to take responsibility for data protection safeguards

By Tara Hutton

December 2, 2008

The number of data breaches reported to the Information Commissioner’s Office (ICO) has soared to 277 since HMRC lost 25 million child benefit records a year ago. New figures, released by the ICO, show 80 reported breaches by the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities and 47 by the rest of the public sector. The ICO is currently investigating 30 of the most serious cases. 

In an October speech Information Commissioner, Richard Thomas, highlighted the risks associated with large databases and the need for tougher sanctions to deter data breaches, and called on chief executives to take responsibility for the personal information held within their organisations. Stating that information can be a "toxic liability," he challenged CEOs to ensure that the amount of data held is minimised and that robust governance arrangements are in place. Richard Thomas firmly believes that accountability rests at the top and that CEOs must make sure that their organisations have the right policies and procedures in place, that privacy by design features are incorporated in technology used and that staff are properly trained to counter any risks. 

He said: ‘It is alarming that despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance, the flow of data breaches and sloppy information handling continues. We have already seen examples where data loss or abuse has led to fake credit card transactions, witnesses at risk of physical harm or intimidation, offenders at risk from vigilantes, fake applications for tax credits, falsified Land Registry records and mortgage fraud. Addresses of service personnel, police and prison officers and battered women have also been exposed. Sometimes lives may be at risk.

He continued: ‘The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total. How many PCs and laptops are junked with live data? How many staff do not tell their managers when they have lost a memory stick, laptop or disc? Many losses are probably simply undetected.
 
‘Personal information is now the lifeblood of government and business. Used properly and intelligently, personal information can lead to better customer service, improved efficiency, more effective law enforcement and protection of the vulnerable and a better quality of life for everyone. But this means respecting and protecting people’s privacy and personal information - data protection - has never been more important. As government, public, private and third sectors harness new technology to collect vast amounts of personal information, the risks of information being abused increases. It is time for the penny to drop. The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made. The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer. Put simply, holding huge collections of personal data brings significant risks.’

The ICO has long argued that its powers, sanctions and resources - fixed in another era - are now wholly inadequate and that a stronger approach is required to help prevent unacceptable information handling. Earlier this year Parliament decided that the ICO should have the power to impose substantial penalties for deliberate or reckless breaches. The organisation is working with the government to ensure these measures are implemented as soon as possible. The threat and reality of substantial penalties will concentrate minds and act as a real deterrent. The data protection notification fee for the largest organisations needs to be increased to give the ICO the resources needed to do its job properly. The ICO is also looking forward to new powers to undertake inspections and audits of data controllers. 

Richard Thomas is sceptical about placing a statutory duty on organisations to notify people directly whenever a breach occurs ‘ …it is doubtful that an appropriate law could satisfactorily distinguish in advance between situations where notification is needed and those where it is not. Each breach carries different levels of risk and, consequently, requires a different response.’

Following serious data breaches in the past year, the Information Commissioner’s Office has taken enforcement action against Orange Personal Communications Services Ltd, HMRC, the Ministry of Defence, the Department of Health, Virgin Media Ltd, Skipton Financial Services, the Foreign and Commonwealth Office, Carphone Warehouse and Talk Talk.

 

More...

Next Steps...